NtPrivilegeObjectAuditAlarm - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTSEAPI_H

/**
 * The NtPrivilegeObjectAuditAlarm routine generates an audit message in the security event log when a privilege is used to access an object.
 *
 * @param SubsystemName A pointer to a UNICODE_STRING specifying the name of the subsystem calling the function.
 * @param HandleId A pointer to a unique value representing the client's handle to the object.
 * @param ClientToken Handle to the access token representing the client.
 * @param DesiredAccess Access mask that specifies the access rights requested.
 * @param Privileges A pointer to a PRIVILEGE_SET structure that specifies the privileges used to gain access.
 * @param AccessGranted Specifies a flag that determines whether access was granted.
 * @return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtPrivilegeObjectAuditAlarm(
    _In_ PCUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwPrivilegeObjectAuditAlarm(
    _In_ PCUNICODE_STRING SubsystemName,
    _In_opt_ PVOID HandleId,
    _In_ HANDLE ClientToken,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PPRIVILEGE_SET Privileges,
    _In_ BOOLEAN AccessGranted
    );

#endif


NtDoc

No description available.

NTinternals.net (undocumented.ntinternals.net)

The function NtPrivilegeObjectAuditAlarm doesn't work, like most of the other auditing functions...

SubsystemName

???

ObjectHandle

This can be any value.

ClientToken

HANDLE to Token Object opened with TOKEN_QUERY access.

DesiredAccess

???

ClientPrivileges

Pointer to PRIVILEGE_SET structure filled with valid data.

AccessGranted

???

Requirements

Privilege: SE_AUDIT_PRIVILEGE
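
An added example (not code from phnt, NtDoc or NTinternals): it builds the variable-length PRIVILEGE_SET that the Privileges parameter expects and, on Windows, passes it to NtPrivilegeObjectAuditAlarm resolved from ntdll.dll. The helper names, the subsystem name and the choice of SeBackupPrivilege (LUID low part 17) are assumptions; the non-Windows typedefs are stand-ins copying the winnt.h layouts.

```c
#include <stddef.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#else /* stand-ins copying the winnt.h layouts so the builder compiles off Windows */
#include <stdint.h>
typedef uint32_t DWORD;
typedef struct { DWORD LowPart; int32_t HighPart; } LUID;
typedef struct { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES;
typedef struct { DWORD PrivilegeCount, Control; LUID_AND_ATTRIBUTES Privilege[1]; } PRIVILEGE_SET;
#define PRIVILEGE_SET_ALL_NECESSARY 1
#define SE_PRIVILEGE_USED_FOR_ACCESS 0x80000000u
#endif
/* Bytes needed for a PRIVILEGE_SET with n entries (the declared array holds only one). */
size_t privilege_set_size(DWORD n) {
    return offsetof(PRIVILEGE_SET, Privilege) + (size_t)n * sizeof(LUID_AND_ATTRIBUTES);
}
/* Hypothetical helper: allocate and fill a PRIVILEGE_SET from LUID low parts; caller frees. */
PRIVILEGE_SET *build_privilege_set(const DWORD *ids, DWORD n) {
    if (ids == NULL || n == 0) return NULL;
    PRIVILEGE_SET *ps = calloc(1, privilege_set_size(n));
    if (ps == NULL) return NULL;
    LUID_AND_ATTRIBUTES *entry = ps->Privilege;
    ps->PrivilegeCount = n;
    ps->Control = PRIVILEGE_SET_ALL_NECESSARY;
    for (DWORD i = 0; i < n; i++) {
        entry[i].Luid.LowPart = ids[i];                     /* HighPart stays 0 (calloc) */
        entry[i].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS; /* privilege was used for the access */
    }
    return ps;
}
#ifdef _WIN32
typedef NTSTATUS (NTAPI *PrivObjAuditAlarm_t)(PUNICODE_STRING, PVOID, HANDLE,
                                              ACCESS_MASK, PPRIVILEGE_SET, BOOLEAN);
int main(void) {
    WCHAR name[] = L"ExampleSubsystem";                     /* hypothetical subsystem name */
    UNICODE_STRING sub = { (USHORT)(sizeof(name) - sizeof(WCHAR)), (USHORT)sizeof(name), name };
    DWORD ids[] = { 17 };                                   /* SeBackupPrivilege, well-known LUID */
    PRIVILEGE_SET *ps = build_privilege_set(ids, 1);
    HANDLE tok = NULL;                                      /* ClientToken, TOKEN_QUERY access */
    PrivObjAuditAlarm_t fn = (PrivObjAuditAlarm_t)GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "NtPrivilegeObjectAuditAlarm");
    if (!ps || !fn || !OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 1;
    /* HandleId may be any value; a caller lacking SE_AUDIT_PRIVILEGE should expect a failure status. */
    NTSTATUS st = fn(&sub, ps, tok, GENERIC_READ, ps, TRUE);
    printf("NtPrivilegeObjectAuditAlarm -> 0x%08lX\n", (unsigned long)st);
    CloseHandle(tok); free(ps); return 0;
}
#endif
```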
